(54) Data authentication system.

(57) In a data communication system a plurality of users are equipped with respective devices for computation and authentication of message authenticators. Each device stores a common cryptographic function, a common secret key and a respective non-secret offset for the key. They are programmed to perform the functions of: (i) computing and outputting an authenticator for an entered message using the cryptographic function and key combined with the respective offset; and (ii) computing an authenticator for an entered message using the cryptographic function and key combined with any entered offset, comparing that authenticator with one received with the message and displaying a "pass" or "fail" decision. The devices are incapable of displaying or otherwise outputting any authenticator computed using any offset other than its respective stored offset, however. In this way it can be ensured that a transmitted authenticator can act as a verifiable "signature" to a message uniquely identifying the sender.

The present invention relates to data communications and more particularly is concerned with techniques for the authentication both of messages flowing across a communications network and of their senders - factors of great importance e.g. in the field of electronic funds transfer and for other systems carrying financial or other commercially-sensitive information.

In such systems it is clearly important to be able to detect at the receiving end any active attack upon, or other corruption of, a message which might have taken place in the course of its transmission across the network. An active attack might take the form of an interceptor adding, removing or altering information in the message with criminal or vexatious intent. While it may be almost impossible to prevent an active attack there are various mechanisms which aim to ensure that such an attack will be detected and hence can be rendered nugatory. The most common depends upon the generation, prior to transmission, of a cryptographic check-sum or message authentication code - termed herein an "authenticator" - from the information contained in the message, which is then appended to the message for transmission. The theory underlying this approach is that if the recipient himself computes the expected authenticator from the message as received using the same cryptographic transformation, and finds it to disagree with the authenticator actually received with the message, then he will know that the message has been altered in some way. If on the other hand the expected and received authenticators match then he knows with a high degree of probability that the message has not been altered, that probability increasing with the length of the authenticator. An example of this in common usage is the system described in American National Standards Institute (ANSI) standards X9.9 and X9.19. Within these standards the cryptographic algorithm is the Data Encryption Algorithm as described in ANSI X3.92, the cryptographic key is a 56-bit DEA key and the authenticator is a 32-bit value appended to the message.

The success of such a system of message authentication of course depends on maintaining the secrecy of the cryptographic key from would-be interceptors. In any such system the same key must, however, be known to, or at least available for the computation of authenticators by, both the sender and recipient. In known systems this raises the possibility that one user might impersonate another and, since the foregoing possibility exists, that a user might attempt to repudiate a genuine transaction. That is to say, while a recipient may be certain from the contents of a received authenticator that any given message was received in the form in which it was originally sent, the authenticator itself cannot guarantee that the sender was the person whom the message purports it to be because the same authenticator-generating key is available to all users.

The present invention seeks to address this problem and accordingly in one aspect resides in a data communication system in which a plurality of users are equipped with respective devices each for the computation and for the verification of message authenticators; each such device storing a common cryptographic function, a common secret cryptographic key and a respective non-secret offset for said key; and each such device being programmed to perform selectably the functions of: (i) computing and outputting an authenticator for a message inputted to the device, using said cryptographic function and said key combined with the respective stored offset; and (ii) computing an authenticator for a message inputted to the device, using said cryptographic function and said key combined with an inputted offset, comparing that authenticator with an authenticator inputted to the device and outputting an indication of verification or non-verification based on said comparison; but each said device being incapable of outputting an authenticator computed using said cryptographic function and said key combined with any offset other than its respective said stored offset. An "offset" in this invention is a value which effectively modifies the common cryptographic key in a respective manner.

In the operation of this system for message authentication a received authenticator will only be verified by a recipient if he has performed the aforesaid function (ii) using the key offset which corresponds to the device of the sender of the message. An essential feature of the system, however, is that the only user who can output (and thus transmit) an authenticator using the offset which corresponds to his own device is that user himself. The authenticator can therefore act as a verifiable "digital signature" identifying the sender of a message, the value of this offset effectively being the sender's ID within the system.

It is important that the (unmodified) common key stored in the devices of this system remains secret, but the offsets corresponding to respective users need not. Indeed the sender's respective offset must be made known to the recipient in order for him to perform the authenticator verification function. If a user should send a message with an authenticator computed with his own device and respective offset but purports to be some other user, however, the received authenticator will not match the authenticator computed by the recipient using the purported user's offset and he will therefore know that the message is not genuine. Furthermore, the knowledge of users' offsets by an unauthorised person does not provide any means for subverting the system without knowledge also of the common key.

The invention also resides per se in an aforesaid device for use in the above-defined system. In a preferred embodiment each such device is in the form of a portable token akin to a hand-held calculator, having a key pad for the entry of message data, authenticators to be verified and corresponding offset values, and for entering the commands to perform the aforesaid functions (i) and (ii), and a display for indicating computed authenticators and verification or non-verification decisions. Additionally or alternatively an electrical interface may be provided for the direct input and output of messages and authenticators from/to an associated terminal apparatus. The physical and electrical construction of the token should be such as to prevent anyone from reading the secret common key, changing the stored offset value or changing the functionality of the token - and in particular from deriving an output of any authenticator computed during the first phase of the above-defined verification function (ii). In practice this can readily be achieved by implementing all of the token's functions in a single microprocessor chip.

In another aspect of the invention, since any message with its corresponding authenticator will serve to verify its sender, the same equipment as provided in the above-defined system can be used primarily for the purpose of verifying members of a group using a communications network, in circumstances which do not require the authentication of messages as such, but where possession of an authorised device is a prerequisite to membership of the group. For example there can be considered a distributed database system to which a large number of different users may wish to obtain access. Each database operator might not need to know the individual identities of all of the users who may request access at any time but does need to know that any person to whom access is to be given has been authorised by the allocation of a said device. In this aspect the user who wishes to verify the authenticity of another user generates a random number which is issued as a "challenge" to that user. This number is then processed by that user in accordance with function (i) of his device, where the "challenge" number constitutes the inputted message in the invention as defined above, and outputs a "response" number (which constitutes the authenticator computed for that message). This "response" number, together with that user's offset, is then transmitted to the first user who uses his own device (or equivalent) to perform the verification function (ii) of the invention where the "challenge" number constitutes the inputted message and the "response" number constitutes the inputted authenticator.

The invention will now be more particularly exemplified with reference to the accompanying drawings in which:-

Figure 1 is a diagram illustrating the functions performed in computing and verifying an authenticator in connection with the transmission of a message in a system according to the invention;
Figure 2 is a diagram illustrating the functions performed in computing and verifying a response to an identification challenge in a system according to the invention; and
Figure 3 is a perspective view of an individual token for use in a system according to the invention.

Referring to Figure 1, this illustrates two user stations A and B within an overall data communication system comprising many such stations between which messages are sent, e.g. payment instructions within a banking network.

At each station the user is equipped with a respective electronic token for use in computing authenticators to be appended to messages sent by that user and for verifying authenticators received with messages from other users. Each such token has been initialised with a common cryptographic function (e.g. the Data Encryption Algorithm of ANSI X3.92), a common secret cryptographic key and an individual offset value for that key. Each token has also been programmed to perform two distinct functions, namely: (i) to compute and display an authenticator from an inputted message using the common cryptographic function and the common key as modified by that token's own stored offset; and (ii) to compute an authenticator from an inputted message using the common cryptographic function and the common key as modified by an inputted offset, compare it with an inputted authenticator and display the result of that comparison as a pass or fail; but it cannot perform any other function using the secret key. In particular, the token cannot display or otherwise output any authenticator computed in the course of its verification function (ii), but can only compare it as aforesaid and display the result.

An individual token for use in this system may take the form indicated in Figure 3, namely a hand-held device 1 similar in appearance to a conventional personal calculator (the usual functions of which it may also perform). A keypad 2 is provided for the entry of data and a series of function keys 3 for entry of the commands appropriate to its operation. A liquid crystal display 4 is provided for checking the entered data, issuing prompts and displaying authenticators and pass/fail decisions. Preferably operation of the token itself requires entry of a user-defined PIN, to minimise the risk of its misuse if lost or stolen.

Returning to Figure 1 it is assumed that the user at station A has a message to send to station B. He enters the message into his token and enters the command for the token to perform its computation function (i). The message is therefore encrypted under the common key as modified by that token's stored offset (offset A) to produce and display a corresponding authenticator. The message, together with this authenticator and the value of the offset A is then transmitted over the communications network to station B. The user at station B wants to verify that the message has been received without alteration and also to verify that the sender of the message is who it is purported to be, namely user A. He therefore enters the message, the received authenticator and the received offset A into his own token and enters the command for the token to perform its verification function (ii). The message is therefore encrypted under the same key as modified by the same offset as in the user A's token to produce (but not display) an authenticator which is then compared with the received authenticator, and if it matches the token displays a "pass" result. By this means user B can be confident that the message has been received without alteration. Since he also knows that the sender of the message must have had the authenticator displayed to him in order to transmit it and that the only token which can display that authenticator in response to that message is the one which has been initialised with offset A then he can also be confident that it was actually sent by user A.

These same tokens can be used in any other communication system where users wish to be able to verify the identity of other users but without necessarily involving message authentication as such. An example of this is shown in Figure 2. In this case the user at station B wishes to verify that the user at station A is an authorised user of the network. He accordingly uses an additional function of his token to generate and display a random number, which is transmitted to user A as a "challenge". User A then uses his token to encrypt that number under the common key as modified by his offset A to produce and display a "response" number. He transmits this number together with the value of his offset A to user B who enters them into his token and performs the same verification function as if the original "challenge" number was a received message and the "response" number was the corresponding authenticator. If a "pass" result is displayed, he similarly knows that user A is genuine because only that user could have had knowledge of the given "response" from the "challenge" using offset A in the encryption.

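The two token functions and the Figure 1 and Figure 2 exchanges described above, modelled as an added Python illustration that is not part of the patent text. It assumes the key and offset are combined by XOR and uses HMAC-SHA-256 truncated to 32 bits in place of the DEA-based function; the class and method names, key, offsets and message are constructed for the example.

```python
import hashlib
import hmac
import secrets

AUTH_LEN = 4  # 32-bit authenticator, the length the text cites for X9.9/X9.19


class Token:
    """One user's token: common key and stored offset are fixed at initialisation."""

    def __init__(self, common_key: bytes, own_offset: bytes):
        if len(common_key) != len(own_offset):
            raise ValueError("offset must be as long as the key")
        self._key = common_key        # secret, identical in every token
        self.own_offset = own_offset  # non-secret, serves as the user's ID

    def _authenticator(self, offset: bytes, message: bytes) -> bytes:
        # Internal only. Assumptions: key and offset are combined by XOR, and
        # HMAC-SHA-256 stands in for the common cryptographic function.
        modified_key = bytes(k ^ o for k, o in zip(self._key, offset))
        return hmac.new(modified_key, message, hashlib.sha256).digest()[:AUTH_LEN]

    def compute(self, message: bytes) -> bytes:
        """Function (i): output an authenticator under the stored offset only."""
        return self._authenticator(self.own_offset, message)

    def verify(self, message: bytes, received: bytes, claimed_offset: bytes) -> bool:
        """Function (ii): pass/fail only; the computed value is never output."""
        if len(claimed_offset) != len(self._key):
            return False
        expected = self._authenticator(claimed_offset, message)
        return hmac.compare_digest(expected, received)


def demo() -> dict:
    key = bytes(range(16))  # constructed sample key
    off_a, off_b, off_c = (bytes(15) + bytes([n]) for n in (0x0A, 0x0B, 0x0C))
    tok_a, tok_b, tok_c = Token(key, off_a), Token(key, off_b), Token(key, off_c)

    msg = b"PAY 100.00 TO ACCOUNT 12345678"  # constructed sample message
    auth = tok_a.compute(msg)
    challenge = secrets.token_bytes(8)       # B's random challenge (Figure 2)
    return {
        # Figure 1: B verifies A's message using the received offset A.
        "genuine": tok_b.verify(msg, auth, off_a),
        # The same authenticator no longer matches an altered message.
        "altered": tok_b.verify(msg.replace(b"100", b"900"), auth, off_a),
        # B computes with his own token but purports to be A; recipient C fails it.
        "impersonation": tok_c.verify(msg, tok_b.compute(msg), off_a),
        # Figure 2: the response is function (i) applied to the challenge.
        "challenge_response": tok_b.verify(challenge, tok_a.compute(challenge), off_a),
    }


if __name__ == "__main__":
    print(demo())
```

The underscore-prefixed method only models the output restriction; the text relies on the token's physical construction, such as a single microprocessor chip, to enforce it.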


Claims 

1. A data communication system in which a plurality of users are equipped with respective devices each for the computation and for the verification of message authenticators; each such device storing a common cryptographic function, a common secret cryptographic key and a respective non-secret offset for said key; and each such device being programmed to perform selectably the functions of: (i) computing and outputting an authenticator for a message inputted to the device, using said cryptographic function and said key combined with the respective stored offset; and (ii) computing an authenticator for a message inputted to the device, using said cryptographic function and said key combined with any inputted offset, comparing that authenticator with an authenticator inputted to the device and outputting an indication of verification or non-verification based on said comparison; but each said device being incapable of outputting any authenticator computed using said cryptographic function and said key combined with any offset other than its respective said stored offset.

2. A method of transmitting and verifying a message from a first user to a second user in a data communication system according to claim 1, which comprises the steps of: the first user operating a first said device to compute and output an authenticator for the message to be transmitted, by performing the said function (i); transmitting to the second user the message, the authenticator computed therefor and the identity of the respective offset stored in the first said device; and the second user operating a second said device to verify the authenticator received from the first user, by performing the said function (ii) with said key combined with the offset identified with the first said device.

3. A method of verifying a first user to a second user in a data communication system according to claim 1, which comprises the steps of: the second user generating a random message and transmitting the same to the first user; the first user operating a first said device to compute and output an authenticator for said random message, by performing the said function (i); transmitting to the second user the authenticator computed for said random message and the identity of the respective offset stored in the first said device; and the second user operating a second said device to verify the authenticator received from the first user, by performing the said function (ii) with said key combined with the offset identified with the first said device.

4. A device for a user of a data communication system to compute and verify message authenticators, the device comprising: means storing a cryptographic function common to the users of the system, a secret cryptographic key common to the users of the system and a respective non-secret offset for said key; input means for messages to be sent by the user or received from other users and for offsets and authenticators received from other users; output means for authenticators to be transmitted by the user and for indicating verification or non-verification of authenticators received from other users; and processing means adapted to perform at the selection of the user the functions of: (i) computing and outputting an authenticator for a message inputted to the device, using said cryptographic function and said key combined with the respective stored offset; and (ii) computing an authenticator for a message inputted to the device, using said cryptographic function and said key combined with any inputted offset, comparing that authenticator with an authenticator inputted to the device and outputting an indication of verification or non-verification based on said comparison; but said device being incapable of outputting any authenticator computed using said cryptographic function and said key combined with any offset other than its respective said stored offset.